What a good conversation with a security advisor looks like

A first conversation that delivers something is recognisable by behaviour, not by slides: diagnosis before solution, honest disclosure of interests, and an exit path named from minute one

A good first conversation with a security advisor is one in which the diagnosis comes before the solution, the advisor's own interest is on the table before any recommendation is made, and the exit path is discussed before the arrival is. It is not a demo, it is not an introduction to a proposition, it is not a pitch with an opening, a middle and a close. It is a working conversation in which the advisor first tries to understand what is going on at your organisation, only then says what they think, and makes visible what works and what does not before you sign anything. That single sentence defines what a good conversation is; everything that follows explains why it is the right measure and how to apply it during the conversation itself.

The way that conversation runs predicts more about the engagement than the quote that follows it. A quote is a negotiated document; a conversation is behaviour that is hard to stage. What follows is not a scoring sheet but a behavioural lens: four points of recognition in the order the conversation takes, followed by what they mean for the buying decision you make afterwards.

What should a good first conversation actually do?

A first conversation has three tasks, and all three are diagnostic, not commercial. The advisor tries to understand where your organisation stands, you try to judge whether this advisor takes you further, and together a picture emerges of whether a second conversation is worth arranging. Nothing in those three tasks calls for a product pitch. Nothing calls for a case deck. Nothing calls for a row of logos on page three.

That sounds obvious and, in practice, is not. Many first conversations in the Dutch cyber market are structurally built as a demo or a proposition presentation, because the supplier's incentives steer them that way. The advisor who has to hit a target within an hour will steer. The CISO who has to make a choice within three weeks lets themselves be steered. The conversation runs smoothly and afterwards you have the feeling that little was exchanged that you could not also have taken from a product brochure. That is no accident; that is how it was designed.

In its guidance on procuring cybersecurity services, the NCSC notes that the quality of an engagement can largely be read in advance from how far the supplier is willing to run a factual problem analysis first, before naming scope and price. That is not a pious wish; it is a pattern that consistently separates engagements that land from engagements that do not. A good first conversation, then, does not begin with an offer but with a question whose answer is not yet fixed.

Which signals tell you within fifteen minutes whether this will work?

The behavioural signals are recognisable in the order the conversation takes. None of the four requires domain knowledge to test; they require attention.

The first ten minutes are about your situation, not their offering. The advisor asks open questions about what is going on at your end, which issue you brought into the conversation, what preceded it, and how it sits within your landscape. They gather facts before passing judgement. An advisor who lands on a product category or a methodology within three minutes has recognised the phrasing of your issue as a trigger for what they wanted to sell anyway. That is not ill will; it is an ingrained reflex that kills the diagnosis before it begins.

Questions that go deeper than symptom level. An advisor who only asks what your problem is gets what the business case on page one says. An advisor who asks what sits beneath it, why you are addressing this now and not last year, who in the organisation carries it and who works against it, gets to where the problem really lies. That second conversation belongs inside the first. If it fails to happen, the recommendation later rests on the problem statement you already held yourself, and then you are buying advisory work that adds nothing to what you already knew internally.

Interests are named unprompted. The moment a direction becomes visible in which a recommendation will take shape, a good advisor tells you, unasked, what they earn if that direction is chosen. Implementation margin, licence kickback, resale, follow-on work within a specific programme. Not at the end, not in the fine print of the quote, but at the moment the direction comes into view. This is the behavioural test you cannot force. Anyone who ducks behind "we are vendor-independent" here has already answered the question without answering it.

The exit path is named early, not at the end. A senior advisor tells you from the start how this engagement would end: when your organisation can carry on by itself, which knowledge must be transferred for that, and by which outcomes you can read it. An advisor who only describes the arrival and no departure is designing an ongoing relationship. That can be a choice you make deliberately, but then it must also be a conscious one. An exit path that only comes up in the third conversation is an exit path that does not, in fact, exist.

These four signals run in order through the conversation. Anyone who reads them knows halfway through whether the second conversation is worth it, without having to consult a reference list or a quote.

What a good conversation should emphatically not do

A good first conversation avoids three things that feel comfortable and undermine the diagnosis. It is useful to name them explicitly, because they are sold in the market as quality while they signal the opposite.

No product demo in the first conversation. A demo predicts nothing about the match with your situation; it only shows that the product exists and works on someone's laptop. An advisor who offers a demo in the first conversation is telling you that their product is the entry point to the relationship. With that, the order is already reversed before the diagnosis has begun.

No reference list as evidence without context. Logos of well-known clients on a slide do not tell you whether those clients had a comparable issue, whether those engagements were finished, or whether the outcome was reached. A good advisor names one or two situations that resemble yours, says what worked and what did not, and can point back, with names and circumstances, to work that ran through to departure.

No price without scope, and no scope without diagnosis. An advisor who names an indicative price in the first conversation for an engagement whose scope is not yet fixed is buying their own room to manoeuvre. The price will be higher in the quote, or the scope will narrow during delivery. Both patterns are described in ENISA publications on procuring cybersecurity services, and a senior advisor avoids both in a first conversation by simply saying that they cannot make that statement yet.

What this means for whoever holds the conversation

For the CISO, the usable conclusion is that the first conversation gives you the most information you can get before money is on the table. Treat it as a test moment, not an introduction. Ask an open diagnostic question without giving context, watch what happens in the first ten minutes, and note the moments where interests come to the table or do not. For the CIO the test is the same, with a different emphasis: can this advisor translate the work into the architecture that is already in place, or are they trying to bend the architecture to fit their work? For the CFO the test is simpler still. An advisor who is not honest in the first conversation about what they earn from their own recommendation will not be honest about it later either. For operational teams the test is practical: do you get someone who understands how the work actually runs, or someone who plants a reference architecture over your operational reality?

A good first conversation does not deliver a sale. It delivers a decision on whether a second conversation is worth it. That is a lower bar than many advisors set themselves, and precisely for that reason a more reliable signal. What all of this predicts is what you will see later in delivery: an advisor who jumped to their solution by minute ten will jump over your reality in month three in exactly the same way. An advisor who is transparent in the first conversation about their interest and their exit path carries that transparency through the rest of the engagement too. The conversation is not an antechamber to the work; it is a first sample of it.
